Profile Applicability:
 • Level 2

Description:

Amazon Elastic File System (EFS) must be properly integrated with the Virtual Private Cloud (VPC) so that EC2 instances and other resources within the VPC can securely reach the file system. This involves creating EFS mount targets in subnets of the VPC and ensuring that security groups, network ACLs and VPC route tables allow the NFS traffic (TCP port 2049) that file system operations require, and nothing more.

Rationale:

Integrating EFS with the VPC ensures secure and reliable communication between EC2 instances (or other resources) and the file system. Creating a mount target in each Availability Zone of the VPC makes the file system highly available and lets clients in every zone mount it locally. Mount targets are the only network path to the file system, so the security groups attached to them are the primary control over which hosts can mount it; restricting those groups to NFS (TCP 2049) from the intended client security groups, rather than from broad CIDR ranges, ensures that only authorized instances or services can access the EFS file system.

Impact:

Pros:

  • Ensures secure and reliable access to EFS resources from EC2 instances and other VPC resources

  • Provides high availability by creating mount targets in multiple Availability Zones within the VPC

  • Integrates seamlessly with VPC security settings (e.g., security groups, network ACLs)

  • Keeps EFS traffic within the VPC, which improves network performance and keeps NFS off the public internet

Cons:

  • Requires careful configuration of network and security settings to prevent unauthorized access

  • Potential misconfiguration of security groups and ACLs may cause access issues

  • Additional management overhead for setting up and maintaining mount targets across Availability Zones

Default Value:

Creating a file system with the AWS CLI or API creates no mount targets; until you create one in a subnet of the VPC, nothing in the VPC can reach the file system. The console's quick-create workflow instead creates a mount target in each Availability Zone of the default VPC using the VPC's default security group, which allows all traffic between its members and must be reviewed and replaced with a dedicated NFS-only security group.

Pre-requisites:

  • IAM permissions to create and manage EFS and VPC resources

  • Existing VPC setup with subnets, security groups, and routing in place

  • EC2 instances or other resources within the VPC that need to access the file system

  • A defined strategy for security groups and access controls for EFS

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EFS > File Systems

  3. Verify that the file system exists and that its Network tab lists mount targets in the intended VPC

  4. Ensure that a mount target exists, in the available state, in a subnet of every Availability Zone from which instances need to mount the file system

  5. Check that each mount target has a dedicated security group whose inbound rules allow only TCP port 2049 from the security groups of authorized client instances (or from narrow CIDR ranges inside the VPC), with no 0.0.0.0/0 or ::/0 source

  6. Review the network ACLs of the client and mount-target subnets and the route tables to confirm that TCP 2049 traffic can flow between the EC2 instances and the mount targets

Using AWS CLI:

List all EFS file systems to confirm the file system exists:

aws efs describe-file-systems

Describe the mount targets for the file system to verify their subnets, Availability Zones and state (LifeCycleState should be available):

aws efs describe-mount-targets --file-system-id <file-system-id>

Verify the security groups associated with a mount target (describe-mount-targets does not return them; run the dedicated call for each mount target ID from the previous output):

aws efs describe-mount-target-security-groups --mount-target-id <mount-target-id>

Confirm that the security group admits only NFS from the intended clients. Every IpPermissions entry that covers TCP 2049 (including IpProtocol "-1" all-traffic rules) must be sourced from the client instances' security group (UserIdGroupPairs) or a narrow CIDR inside the VPC; an IpRanges entry of 0.0.0.0/0 or ::/0 is a finding:

aws ec2 describe-security-groups --group-ids <security-group-id> --query 'SecurityGroups[].IpPermissions'
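The checks above can be scripted so the audit is repeatable across file systems. The following Python is an added example written for this page, not AWS tooling: it evaluates the three API responses the Test Plan relies on (mount targets, mount-target security groups, and the security groups themselves) against the rule that only TCP 2049 from approved client security groups or in-VPC CIDRs may reach a mount target, and it reports Availability Zones that have no mount target. The sample data is constructed and every identifier in it (vpc-0123, fsmt-0aaa, sg-efs-good, sg-app and so on) is made up; load_live() shows how the same documents are obtained from a real account with the AWS CLI.

```python
"""Offline audit of EFS mount-target network exposure (added example, not AWS code).

Inputs are shaped like the JSON returned by:
  aws efs describe-mount-targets --file-system-id <file-system-id>
  aws efs describe-mount-target-security-groups --mount-target-id <mount-target-id>
  aws ec2 describe-security-groups --group-ids <security-group-id>
The sample data below is constructed for this example; all IDs are made up.
"""
import json
import subprocess
from ipaddress import ip_network

NFS_PORT = 2049

SAMPLE_MOUNT_TARGETS = [
    {"MountTargetId": "fsmt-0aaa", "SubnetId": "subnet-0a", "VpcId": "vpc-0123",
     "AvailabilityZoneName": "us-east-1a", "LifeCycleState": "available"},
    {"MountTargetId": "fsmt-0bbb", "SubnetId": "subnet-0b", "VpcId": "vpc-0123",
     "AvailabilityZoneName": "us-east-1b", "LifeCycleState": "available"},
]
SAMPLE_MT_SECURITY_GROUPS = {"fsmt-0aaa": ["sg-efs-good"], "fsmt-0bbb": ["sg-efs-open"]}
SAMPLE_SECURITY_GROUPS = {
    # Correct shape: TCP/2049 only, sourced from the client instances' security group.
    "sg-efs-good": {"GroupId": "sg-efs-good", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    # Weak shape: NFS open to the world, plus an all-protocol rule wider than the VPC.
    "sg-efs-open": {"GroupId": "sg-efs-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},
}

def nfs_rules(sg):
    """Ingress rules that admit TCP/2049, including IpProtocol "-1" all-traffic rules."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":
            yield perm
        elif proto == "tcp" and perm.get("FromPort", 0) <= NFS_PORT <= perm.get("ToPort", 65535):
            yield perm

def check_security_group(sg, vpc_cidr, allowed_client_sgs):
    """Findings for one mount-target security group: only TCP/2049, only from approved
    client security groups or CIDRs inside the VPC, never from 0.0.0.0/0 or ::/0."""
    gid, findings, vpc_net = sg["GroupId"], [], ip_network(vpc_cidr)
    rules = list(nfs_rules(sg))
    if not rules:
        findings.append(f"{gid}: no ingress rule admits TCP/{NFS_PORT}; clients cannot mount")
    for perm in rules:
        if perm["IpProtocol"] == "-1":
            findings.append(f"{gid}: rule admits all protocols and ports")
        elif (perm["FromPort"], perm["ToPort"]) != (NFS_PORT, NFS_PORT):
            findings.append(f"{gid}: NFS admitted via wide port range {perm['FromPort']}-{perm['ToPort']}")
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            net = ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{gid}: NFS open to the world ({cidr})")
            elif net.version != vpc_net.version or not net.subnet_of(vpc_net):
                findings.append(f"{gid}: NFS source {cidr} is not inside the VPC CIDR {vpc_cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in allowed_client_sgs:
                findings.append(f"{gid}: NFS source group {pair['GroupId']} is not an approved client group")
    return findings

def audit_mount_targets(mount_targets, mt_sgs, sgs, vpc_cidr, allowed_client_sgs, expected_azs):
    """Per-mount-target findings plus the Availability Zones that have no mount target."""
    report = {}
    for mt in mount_targets:
        findings = []
        if mt["LifeCycleState"] != "available":
            findings.append(f"mount target state is {mt['LifeCycleState']}")
        for sg_id in mt_sgs.get(mt["MountTargetId"], []):
            findings.extend(check_security_group(sgs[sg_id], vpc_cidr, allowed_client_sgs))
        report[mt["MountTargetId"]] = findings
    covered = {mt["AvailabilityZoneName"] for mt in mount_targets}
    report["missing_azs"] = sorted(set(expected_azs) - covered)
    return report

def load_live(file_system_id):
    """Fetch the same three documents from a real account via the AWS CLI (needs credentials)."""
    def cli(*args):
        return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))
    mts = cli("efs", "describe-mount-targets", "--file-system-id", file_system_id)["MountTargets"]
    mt_sgs = {mt["MountTargetId"]: cli("efs", "describe-mount-target-security-groups",
                                       "--mount-target-id", mt["MountTargetId"])["SecurityGroups"]
              for mt in mts}
    sg_ids = sorted({s for ids in mt_sgs.values() for s in ids})
    sgs = {sg["GroupId"]: sg for sg in
           cli("ec2", "describe-security-groups", "--group-ids", *sg_ids)["SecurityGroups"]}
    return mts, mt_sgs, sgs

if __name__ == "__main__":
    report = audit_mount_targets(SAMPLE_MOUNT_TARGETS, SAMPLE_MT_SECURITY_GROUPS,
                                 SAMPLE_SECURITY_GROUPS, vpc_cidr="10.0.0.0/16",
                                 allowed_client_sgs={"sg-app"},
                                 expected_azs=["us-east-1a", "us-east-1b", "us-east-1c"])
    print(json.dumps(report, indent=2))
```

On the sample data the audit reports nothing for fsmt-0aaa, three findings for fsmt-0bbb (world-open NFS, an all-protocol rule, and a source wider than the VPC) and us-east-1c as a zone without a mount target. The VPC CIDR and the set of approved client security groups are inputs because the page's rule is about intent, not a fixed address range.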

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EFS > File Systems

  3. Click Create File System or select an existing file system

  4. Select the VPC in which the file system should reside

  5. In the Mount Targets section, click Add Mount Target

  6. Choose the subnets where you want to create mount targets (typically in different Availability Zones for high availability)

  7. Assign a dedicated security group to the mount targets that allows inbound TCP port 2049 only from the security group of the client EC2 instances (not from 0.0.0.0/0)

  8. Click Create Mount Target to finalize

  9. After creation, ensure that the EC2 instances are members of the client security group referenced by the mount-target rule and that their security groups allow outbound TCP 2049 to the mount targets (the default allow-all egress rule already does)

Using AWS CLI:

Create a mount target in a specific subnet within the VPC, attaching the dedicated NFS security group (repeat once per Availability Zone; EFS allows one mount target per zone):

aws efs create-mount-target \
  --file-system-id <file-system-id> \
  --subnet-id <subnet-id> \
  --security-groups <security-group-id>

Verify the mount targets for the file system:

aws efs describe-mount-targets --file-system-id <file-system-id>

Check that the security group associated with the mount targets allows TCP 2049 only from the client instances' security group:

aws ec2 describe-security-groups --group-ids <security-group-id>

Mount the EFS file system on an EC2 instance (requires the amazon-efs-utils package; the tls option encrypts NFS traffic in transit):

sudo mkdir -p /mnt/efs
sudo mount -t efs -o tls <file-system-id>:/ /mnt/efs
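Because EFS permits exactly one mount target per Availability Zone, re-running the create-mount-target step against a partly configured file system fails for the zones already covered. The following Python is an added example for this page, not AWS tooling: it takes describe-subnets and describe-mount-targets output, plans one mount target for each uncovered Availability Zone of the VPC (preferring private subnets), emits the equivalent create-mount-target commands, and builds the ingress document that restricts the EFS security group to TCP 2049 from the client security group. The sample subnets, the file system ID fs-0123, the VPC vpc-0123 and the security group IDs are all made up for the example.

```python
"""Plan EFS mount-target creation: one per Availability Zone, private subnets preferred,
NFS ingress sourced from the client security group (added example, not AWS code).
All identifiers below are constructed for this example.
"""
NFS_PORT = 2049

# Shaped like the Subnets list from `aws ec2 describe-subnets --filters Name=vpc-id,Values=vpc-0123`.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-0123", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-0123", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b", "VpcId": "vpc-0123", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-pub-c", "AvailabilityZone": "us-east-1c", "VpcId": "vpc-0123", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-other", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-9999", "MapPublicIpOnLaunch": False},
]
# Shaped like the MountTargets list from `aws efs describe-mount-targets`: us-east-1b is already covered.
SAMPLE_EXISTING = [{"MountTargetId": "fsmt-0bbb", "AvailabilityZoneName": "us-east-1b", "SubnetId": "subnet-priv-b"}]

def nfs_ingress_from_group(client_sg_id):
    """--ip-permissions document for `aws ec2 authorize-security-group-ingress` on the EFS
    security group: TCP/2049 only, sourced from the client security group rather than a CIDR."""
    return [{"IpProtocol": "tcp", "FromPort": NFS_PORT, "ToPort": NFS_PORT,
             "UserIdGroupPairs": [{"GroupId": client_sg_id}]}]

def plan_mount_targets(file_system_id, vpc_id, subnets, existing, efs_sg_id):
    """One create-mount-target parameter set per Availability Zone of the VPC that has no
    mount target yet. Covered zones are skipped so re-running is safe; within a zone a
    private subnet is preferred and a public one is used only if nothing else exists."""
    covered = {mt["AvailabilityZoneName"] for mt in existing}
    chosen = {}  # az -> (subnet_id, is_private)
    for s in subnets:
        az = s["AvailabilityZone"]
        if s["VpcId"] != vpc_id or az in covered:
            continue
        private = not s["MapPublicIpOnLaunch"]
        if az not in chosen or (private and not chosen[az][1]):
            chosen[az] = (s["SubnetId"], private)
    return [{"FileSystemId": file_system_id, "SubnetId": sid, "SecurityGroups": [efs_sg_id]}
            for az, (sid, _) in sorted(chosen.items())]

def as_cli(params):
    """Equivalent AWS CLI invocation for one planned mount target."""
    return (f"aws efs create-mount-target --file-system-id {params['FileSystemId']} "
            f"--subnet-id {params['SubnetId']} --security-groups {' '.join(params['SecurityGroups'])}")

if __name__ == "__main__":
    print("ingress rule for the EFS security group:", nfs_ingress_from_group("sg-app"))
    for p in plan_mount_targets("fs-0123", "vpc-0123", SAMPLE_SUBNETS, SAMPLE_EXISTING, "sg-efs"):
        print(as_cli(p))
```

On the sample data the plan yields two commands, for subnet-priv-a (chosen over the public subnet in the same zone) and subnet-pub-c (the only subnet in its zone); us-east-1b is skipped because it already has a mount target, and subnet-other is ignored because it belongs to a different VPC. Pass the ingress document to authorize-security-group-ingress with --ip-permissions to get the rule shape the Test Plan checks for.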

Backout Plan:

Using AWS Console:

  1. Navigate to EFS > File Systems

  2. Select the EFS file system

  3. On the Network tab, delete the mount target to remove it from the VPC (unmount the file system on client instances first, or their NFS I/O will hang)

  4. Review any affected EC2 instances and ensure they are reconfigured if necessary

  5. If needed, delete the EFS file system by selecting Delete File System; this requires that all mount targets have been deleted and permanently destroys the data unless a backup exists

Using AWS CLI:

Delete a mount target for the file system (unmount it on client instances first; clients with an active mount lose access and may hang on I/O):

aws efs delete-mount-target --mount-target-id <mount-target-id>

Verify that the mount target is deleted:

aws efs describe-mount-targets --file-system-id <file-system-id>

If required, delete the EFS file system (all of its mount targets must be deleted first; the data is destroyed and cannot be recovered unless a backup exists):

aws efs delete-file-system --file-system-id <file-system-id>

References: